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Secure communication plays a crucial role in the Internet Age. Quantum mechanics may revo¬ 
lutionise cryptography as we know it today. In this Review Article, we introduce the motivation 
and the current state of the art of research in quantum cryptography. In particular, we discuss 
the present security model together with its assumptions, strengths and weaknesses. After a brief 
introduction to recent experimental progress and challenges, we survey the latest developments in 
quantum hacking and counter-measures against it. 


With the rise of the Internet, the importance of cryptog¬ 
raphy is growing every day. Each time we make an on-line 
purchase with our credit cards, or we conduct financial 
transactions using Internet banking, we should be con¬ 
cerned with secure communication. Unfortunately, the 
security of conventional cryptography is often based on 
computational assumptions. For instance, the security 
of the RSA scheme [T], the most widely used public-key 
encryption scheme, is based on the presumed hardness 
of factoring. Consequently, conventional cryptography 
is vulnerable to unanticipated advances in hardware and 
algorithms, as well as to quantum code-breaking such as 
Shor’s efficient algorithm [2] for factoring. Government 
and trade secrets are kept for decades. An eavesdropper. 
Eve, may simply save communications sent in 2014 and 
wait for technological advances. If she is able to factorise 
large integers in say 2100, she could retroactively break 


the security of data sent in 2014. 

In contrast, quantum key distribution (QKD), 
the best-known application of quantum cryptography, 
promises to achieve the Holy Grail of cryptography— 
unconditional security in communication. By uncondi¬ 
tional security or, more precisely, e-security, as it will 
be explained shortly (see section discussing the security 
model of QKD), Eve is not restricted by computational 
assumptions but she is only limited by the laws of physics. 
QKD is a remarkable solution to long-term security since, 
in principle, it offers security for eternity. Unlike conven¬ 
tional cryptography, which allows Eve to store a classical 
transcript of communications, in QKD, once a quantum 
transmission is done, there is no classical transcript for 
Eve to store. See Box 1 for background information on 
secure communication and QKD. 


Box 1 I Secure communication and QKD. 

Secure Communication: Suppose a sender, Alice, would like to send a secret message to a receiver. Bob, through 
an open communication channel. Encryption is needed. If they share a common string of secret bits, called a key, 
Alice can use her key to transform a plain-text into a cipher-text, which is unintelligible to Eve. In contrast. Bob, 
with his key, can decrypt the cipher-text and recover the plain-text. In cryptography, the security of a crypto-system 
should rely solely on the secrecy of the key. The question is: how to distribute a key securely? In conventional 
cryptography, this is often done by trusted couriers. Unfortunately, in classical physics, couriers may be brided or 
compromised without the users noticing it. This motivates the development of quantum key distribution (QKD). 
Quantum Key Distribution: The best-known QKD protocol (BB84) was published by Bennett and Brassard in 
1984 [3]. Alice sends Bob a sequence of photons prepared in different polarisation states, which are chosen at random 
from two conjugate bases. For each photon. Bob selects randomly one of the two conjugate bases and performs a 
measurement. He records the outcome of his measurement and the basis choice. Through an authenticated channel, 
Alice and Bob broadcast their measurement bases. They discard all polarisation data sent and received in different 
bases and use the remaining data to generate a sifted key. To test for tampering they compute the quantum bit error 
rate (QBER) of a randomly selected subset of data and verify that the QBER is below a certain threshold value. By 
applying classical post-processing protocols such as error correction and privacy amplification, they generate a secure 
key. This key can be used to make the communication unconditionally secure by using a one-time-pad protocol [4]. 
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One-time-pad protocol: The message is represented by a binary string. The key is also a binary string of the 
same length as the message. For encryption, a bitwise exclusive-OR (XOR) is performed between the corresponding 
bits of the message and the key to generate a cipher-text. Decryption is done by performing a bitwise XOR between 
the corresponding bits of the cipher-text and the key. For one-time-pad to be secure, the key should not be re-used. 


Achievements and future goals in QKD. On the 

theory side, a landmark accomplishment has been rig¬ 
orous security proofs of QKD protocols. Recently, a 
“composable” definition urn of the security of QKD 
has been obtained. Stable QKD over long distances (of 
the order of 100 km) has been achieved in both fibres 
and free-space laiHi. Commercial QKD systems are cur¬ 
rently available in the market. Field test demonstrations 
of QKD networks have been done [SflE]. High detec¬ 
tion efficiency single-photon detectors at telecom wave¬ 
lengths have been developed pTh2Q] . In short, QKD 
is already mature enough for real-life applications. As 
an illustration. Fig. shows the tremendous progress 
that has been made in free-space QKD over the last two 
decades. It compares the first lab demonstration per¬ 
formed in 1992 [ 21 ] with two recent QKD implementa¬ 
tions that connect, respectively, two Canary Islands jS] 
and a ground station with a hot-air balloon [ 22 |. 

And, what researchers are aiming to do now? As will 
be discussed in the rest of the paper, to guarantee un¬ 
conditional security in actual QKD implementations, re¬ 
searchers are working hard to bridge the gap between 
theory and practice. Also, the development of high-speed 
QKD systems, together with the ability of multiplexing 
strong classical signals with weak quantum signals in the 
same optical fibre, for example, via wavelength division 
multiplexing (WDM), are major research challenges of 
the field. Moreover, researchers are studying QKD net¬ 
work set-ups with both trusted and untrusted nodes. The 
feasibility of ground to satellite QKD has also attracted 
a lot of research attention [ 22 l [23| . 

Security model of QKD 

Intuitively speaking, the security of QKD is measured 
with respect to a perfect key distribution scheme where 
Alice and Bob share a true random secret key. More 
precisely, we say that a QKD system is e-secure if and 
only if the probability distribution of an outcome of any 
measurement performed on the QKD scheme and the re¬ 
sulting key deviates at most e from the one of the perfect 
key distribution protocol and the perfect key 
A typical value for e is 10“^^. However, in principle Al¬ 
ice and Bob could select e as small as they want, just by 
applying enough privacy amplification. 

Of course, since a secret key is a resource for other 
cryptographic protocols {e.g., the one-time-pad method), 
it is not enough to consider the security of the QKD 
protocol alone. Instead, one has to evaluate the security 


of the generated key when it is employed in a crypto¬ 
system. This notion is known as “composable” security. 
Fortunately, QKD is composably secure miSlllll. That 
is, if we have a set of cryptographic protocols (which may 
include QKD), each of them having a security parameter 
ei, as part of a certain cryptographic scheme, then the 
security of the whole system is given by . 

Progress in security proofs. Once we have presented 
the security definition of QKD, next we discuss the se¬ 
curity of a particular QKD implementation: the BB84 
scheme [3]. In its original theoretical proposal, Alice 
sends Bob single-photon states. However, as practical 
and efficient single-photon sources are yet to be realised, 
most implementations of the BB84 protocol are based 
on phase-randomised weak coherent state pulses (WCPs) 
with a typical average photon number of O.I or higher. 
These states can be easily prepared using standard semi¬ 
conductor lasers and calibrated attenuators. The main 
drawback of these systems, however, arises from the fact 
that some signals may contain more than one photon pre¬ 
pared in the same quantum state. If Eve performs, for 
instance, the so-called Photon-Number-Splitting (PNS) 
attack [25] on the multi-photon pulses, she could obtain 
full information about the part of the key generated with 
them without causing any noticeable disturbance. That 
is, in BB84 only the single-photon states sent by Alice 
and detected by Bob can provide a secure key. For¬ 
tunately, to distill a key from these single-photon con¬ 
tributions it is enough if Alice and Bob can estimate a 
lower bound for the total number of such events, z.e., they 
do not need to identify which particular detected pulses 
originate from single-photon emissions [26|. In the case 
of the BB84 scheme, this estimation procedure must as¬ 
sume the worst case scenario where Eve blocks as many 
single-photon pulses as possible. As a result, it turns out 
that its key generation rate scales as 77 ^, where 77 denotes 
the transmittance of the quantum channel. This quantity 
has the form 77 = 10 “^, where a is the loss coefficient 
of the channel measured in dB/km {a ~ 0.2 dB/km for 
standard commercial fibres) and d is the covered distance 
measured in km. 

In reality, however. Eve may not be monitoring the 
quantum channel and performing a PNS attack. To im¬ 
prove the achievable secret key rate in general, therefore, 
is necessary to estimate more precisely the amount of 
single-photon pulses detected by Bob. This can be done 
using the so-called decoy-state method [T7H36] , which can 
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FIG. 1. I Progress in free-space QKD implementations, a, First free-space demonstration of QKD [ 2 T] realised two 
decades ago over a distance of 32cm. The system uses a light emitting diode (LED) in combination with Pockels Cells to 
prepare and measure the different signal states, b, Entanglement-based QKD setup connecting the Canary Islands of La Palma 
and Tenerife [8]. The length of the optical link is 144km. c, Schematic diagram of a decoy-state BB84 QKD experiment 
between ground and a hot-air balloon [22]. This demonstration can be seen as a first step towards QKD between ground and 
Low Earth Orbit Satellites. In the figure: (HWP) half-wave plate, (MON) monitor window, (MIR) mirror, (ATT) attenuator, 
(DM) dichroic mirror, (532LD) 532nm laser, (ESM) fast steering mirror, (671LD) 671nm laser, (532D) 532nm detector, and 
(IE) interference filter. Eigures from: a. Ref. [21]; b. Ref. [8]; and c. Ref. [22]. 


basically reach the performance of single-photon sources, 
where the key generation rate scales linearly with 77 . The 
procedure is as follows. Instead of sending signals of equal 
intensity, Alice chooses first the intensity for each sig¬ 
nal at random from a set of prescribed values. States 
sent in one particular intensity are called signal states, 
whereas the states sent with other intensities are called 
decoy-states. Once Bob has detected all the signals, Al¬ 
ice broadcasts the intensity used for each pulse. A crucial 
assumption here is that all other possible degrees of free¬ 
dom of the signals (apart from the intensity) are equal 
for all of them. This way, even if Eve knows the total 
number of photons contained in a given pulse, her deci¬ 
sion on whether or not send that signal to Bob cannot 
depend on its intensity. That is, Eve’s decision is based 
on what is known a priori. Consequently, the probability 
of having a detection event given that Alice sent a single¬ 
photon pulse is the same for the signal and decoy pulses. 
As a result, Alice and Bob can estimate the fraction of 
detected events that arise from single-photons more pre¬ 
cisely. This technique is rather general and also very 
useful for other quantum cryptographic protocols [37]. 

Experimental implementations 

Experimental realisations of QKD have made a huge 
progress in the last two decades. In practice, the sig¬ 
nal transmission can be done through free-space (using 
a wavelength around 800nm) or through optical fibres 
(using the second or third telecom windows, Le., wave¬ 


lengths around 1310nm and 1550nm, respectively). Also, 
current set-ups use different degrees of freedom to encode 
the relevant information into the optical pulses. As al¬ 
ready introduced, an obvious choice for this is to employ 
the polarisation state of the photons. This technique, so- 
called polarisation coding, is mostly used in free-space 
QKD links. For optical fibre transmission, however, one 
usually selects other coding options such as, for exam¬ 
ple, phase-coding, time-bin coding or frequency coding. 
This is so because polarisation in standard fibres is more 
susceptible to disturbances due to birefringence and en¬ 
vironmental effects. 

Fig. 2a shows conceptually how simple is the basic set¬ 
up for the decoy-state BB84 protocol when Alice and Bob 
use polarisation coding. The expected secret key rate 
(per pulse) as a function of the distance is illustrated in 
Fig. 2b. The cut-off point where the secret key rate drops 
to zero depends on the parameters of the system (spe¬ 
cially, on the channel transmission and on the efficiency 
and dark count rate of Bob’s detectors), and is typically 
around 150-200km. For comparison, as shown in the Fig¬ 
ure, (the corresponding lower bound on) the secret key 
rate for the standard BB84 protocol without decoy-states 
is much lower. Fig. 2c shows a photo of a fibre-coupled 
modularly-integrated decoy-state BB84 transmitter de¬ 
veloped by Los Alamos group [38]; it is similar in size to 
an electro-optic modulator. 

Alice and Bob may enlarge further the covered dis¬ 
tance by using entanglement-based QKD protocols [ast 
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FIG. 2. I Experimental QKD. a, Schematic diagram of the decoy-state BB84 protocol [TfH36] based on polarisation coding. 
Four lasers are used to prepare the polarisations needed in BB84. Decoy-states are generated with an intensity modulator (AM). 
On Bob’s side, a 50 : 50 beam-splitter (BS) is used to passively ensure a random measurement basis choice. Active receivers are 
also common. In the hgure: (PM) phase modulator, (M) mirror, (F) optical hlter, (I) optical isolator, (R) polarisation rotator, 
and (PBS) polarising beam-splitter, b. Lower bound on the secret key rate (per pulse) in logarithmic scale for a BB84 set-up 
with two decoys (green line) [30]. In the short distance regime, the key rate scales linearly with the transmittance, rf. (Red line) 
standard BB84 protocol without decoy-states ElES]; its key rate scales as rf. c. Photo of a hbre-coupled modularly-integrated 
decoy-state BB84 transmitter based on polarisation coding [38]; it produces decoy-state BB84 signals at a repetition rate of 10 
MHz. d. Performance of the SwissQuantum network m- This network run for more than one and a half years in the Geneva 
metropolitan area, Switzerland. The data shown in the hgure corresponds to a QKD link of 14.4km; it highlights how stable 
current QKD set-ups are. Figures from: c. Ref. [38]; and d. Ref. m- 


[42], as these schemes can tolerate higher losses (up to 
about 70 dB) than WCP-based protocols. For instance, 
they could employ a parametric down-conversion source 
to generate polarisation entangled photons that are dis¬ 
tributed between them. This source could be even con¬ 
trolled by Eve, and it can be placed in the middle be¬ 
tween the legitimate users. On the receiving side, both 
Alice and Bob measure the signals received using, for ex¬ 
ample, a BB84 receiver like the one shown in Fig. 2a. 
Two drawbacks of this approach are, however, that the 
systems are more involved than those based on WCPs, 
and their secret key rate is usually lower in the low loss 
regime. Alternatively to polarisation coding, one can use 
as well, for instance, energy-time entangled photon pairs. 

For shorter distances (say below 100km), there are 
other solutions that are simpler to implement experimen¬ 
tally. These are the so-called distributed-phase-reference 
QKD protocols [434145] . They differ from standard QKD 
schemes in that now Alice encodes the information co¬ 
herently between adjacent pulses, rather than in indi¬ 
vidual pulses. This approach includes the differential- 
phase-shift (DPS) [43] [44] and the coherent-one-way 


(COW) [45] protocols. In the former, Alice prepares a 
train of WCPs of equal intensity and modulates their 
phases. On the receiving side. Bob uses a one-bit de¬ 
lay Mach-Zehnder interferometer, followed by two single¬ 
photon detectors, to measure the incoming pulses. Sim¬ 
ilarly, in the COW protocol all pulses share a common 
phase but now Alice varies their intensities. 

An important issue in any QKD implementation is 
its reliability and robustness in a real life environment. 
Fig. 2d shows the performance (as a function of time) of 
a QKD link from the SwissQuantum network installed 
in Geneva, Switzerland m- It demonstrates the high 
stability of current QKD systems. 

The protocols described above belong to the so- 
called discrete-variable QKD schemes. Another inter¬ 
esting option is to use continuous-variable systems (CV- 
QKD) [464(48] . The key feature of this solution is that 
now the detection device consists of (homodyne or het¬ 
erodyne) measurements of the light-held quadratures. 
Consequently, these protocols can be implemented with 
standard telecom components and do not require single¬ 
photon detectors, which makes them also very suitable 
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for experimental realisations. 

QKD components and data-processing. For the op¬ 
tical layer of a QKD system, the following components 
are typically needed: 

1. Light sources: Attenuated laser pulses can be used 
as the signal source in QKD. It is standard to model the 
signal as a WCP. By applying a global phase randomisa¬ 
tion, the state becomes a classical mixture of Fock states 
(z.e., states of different photon numbers) with Poissonian 
distribution. 

2. Single-photon detectors: Single-photon detection is 
the ultimate limit of the detection of light. It is important 
not only in QKD applications, but also in sensitive mea¬ 
surements in astronomy and bio-medical physics. Tra¬ 
ditionally, two different types of detectors—Silicon de¬ 
tectors and InGaAs detectors—have been widely used in 
QKD. Silicon detectors are broadly employed for visible 
wavelengths (e.^., SOOnm) and in free-space implemen¬ 
tations. They have rather high detection efficiency of 
around 50%. InGaAs avalanche photodiodes (APDs) are 
often used in telecom wavelengths and in fibre optical 
communication. Previously, they suffered from low de¬ 
tection efficiency of around 15%. Another drawback of 
InGaAs APDs was that they had a rather long dead¬ 
time after a detection event, which severely limited the 
detection repetition rate to only a few MHz. In the last 
few years, however, new detector technologies have been 
developed for QKD applications. This includes, for ex¬ 
ample: self-differencing APDs gg EO], the sine wave 
gating technique [5TH53] . a hybrid approach combining 
these last two methods [54], as well as superconducting 
nanowire single-photon detectors (SNSPDs) [17], which 
all can operate at GHz detection repetition rate. Also, 
the detection efficiency of InGaAs APDs has been im¬ 
proved to about 50% at 1310nm [20], and new types of 
SNSPDs with a very high detection efficiency of around 
93% have been developed [Mig. The main drawback 
of these novel SNSPDs [T7HT9], however, is their oper¬ 
ating temperature, which is at the moment of the order 
of 0.1 K. The dark count rate of these high efficiency 
SNSPDs [TTHIS], of the order of 100 Hz, can be substan¬ 
tially improved by better rejection of ambient photons 
using optical band-pass filters at the input port of the 
SNSPDs [55]. 

3. Standard linear optical components: polarising 
beam-splitters, beam-splitters, amplitude modulators 
and phase modulators are widely used in QKD appli¬ 
cations. 

4 . Random number generators: Random num¬ 
bers are needed for basis choice, bit value choice, 
phase-randomisation, intensity choice in the decoy-state 
method as well as for data post-processing. High-speed 
random number generation is a key bottleneck in current 
QKD. Fortunately, there have been a lot of research ac¬ 
tivities in the subject. Quantum mechanics offers true 


randomness from the laws of physics [56]. A simple way 
to build a quantum random number generator (QRNG) is 
to send a WCP through a 50 : 50 beam-splitter and put 
two single-photon detectors on the two outgoing arms. 
The actual bit value (0 or 1) generated depends on which 
detector detects a photon. Other methods [571459] to de¬ 
sign QRNGs such as using phase noise m also exist. 

5. Classical post-processing techniques: Processes such 
as post-selection of data (typically called sifting), error 
correction and privacy amplification are used to correct 
errors in the quantum transmission and to remove any 
residual information that Eve might have on the raw 
key. The final result is a key shared by Alice and Bob 
that Eve almost surely has absolutely no information 
about. A bottleneck in high-speed QKD is the computa¬ 
tional complexity of classical post-processing protocols, 
together with the processing of huge raw data in a very 
short time. Eortunately, progresses have been made for 
algorithm speed-up using hardware-based (e.^., EPGA) 
solutions [7]. 

6. Authenticated channel: Eor QKD to work, besides 
a quantum channel, Alice and Bob need to share an au¬ 
thenticated classical channel. Eortunately, only a rather 
short authentication key is needed for this. Such an au¬ 
thentication key may be provided in the initial shipment 
of the QKD system through a temper-resistant device. 
Once a QKD session has succeeded, one can refurbish 
the authentication key from the key generated by QKD. 
In this sense, QKD is a key growing protocol. 

If initially there is no shared key between Alice and 
Bob, they may also use a classical solution for authentica¬ 
tion based on computational assumptions via a certifying 
authority, which is a standard protocol in the Internet. 
Provided that such an authentication scheme is unbroken 
for a short period of time during the first QKD session, 
the first QKD session will be secure and will generate the 
subsequent authentication keys. 

Industrial/application perspectives. The field of 
QKD attracts both fundamental research and industrial 
interests. As mentioned above, there are already com¬ 
mercial products that offer encryption solutions based 
on this technology. Also, QKD networks have been re¬ 
cently deployed in USA [9], Austria m, Switzerland m, 
Ghina [MU] and Japan m- As an illustration, Eig. 3a 
shows the current structure of the Tokyo QKD net¬ 
work m- It uses an architecture based on trusted nodes, 
which are separated by distances that range between 1km 
to 90km. The network consists of three main layers: a 
QKD layer, a key management layer, and an application 
layer. In the former, QKD systems that connect neigh¬ 
bouring nodes generate secret key material continuously, 
ie., without any maintenance [7]. This key, of the order 
of 300 Kbps when the link loss is around 14.5 dB [15], is 
forwarded to a key management agent placed in the key 
management layer. This agent monitors the key genera- 
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FIG. 3. I QKD networks, a, Schematic representation of the layer structure of the Tokyo QKD network which is based 
on a trusted node architecture. From the viewpoint of the users, the QKD layer and the key management layer can be treated 
as a black box that supplies them a secure key. On the application layer, they can enjoy applications such as secure video 
meetings and secure communication using smart phones. Different QKD networks have been implemented as well in other 
countries; see, for instance, [9l414]. b, (Upper subhgure) Downstream versus upstream passive quantum access network. In the 
upstream approach US], the single-photon detectors are located only at the network node. This may reduce the costs of the 
network and allow a more efficient use of its detectors’ bandwidth. (Lower subhgure) Estimated secret key rate per user for an 
upstream solution as a function of the distance and the number of active users in the network for various network capacities. 
Figures from: a, adapted from Ref. US); and b. Ref. m- 


tion rate and the amount of stored key. Secure commu¬ 
nication is possible between any nodes in the network by 
relaying on the secret key that is controlled by command 
of the key management server. From the viewpoint of the 
users, the QKD layer and the key management layer can 
be treated as a black box that supplies them a secure 
key. Such network could be employed, for instance, to 
provide secure communications with smart phones. Any 
time a user needs a fresh secret key to protect his com¬ 
munication over the phone, he could connect to the QKD 
network and store in his device the key obtained for later 
use m- Also, new architectures for QKD networks have 
been recently proposed by the Toshiba group and by Los 
Alamos group. Fig. 3b compares the upstream passive 
quantum access network implemented by Toshiba m 
with a downstream approach, whereas Fig. 2c is the com¬ 
pact transmitter prepared by Los Alamos group [38] . 

Lately, QKD systems have been used in the Swiss na¬ 
tional elections to protect the line that transmitted the 
ballots to the counting station. Also, they have secured a 
communication link at the 2010 FIFA World Cup compe¬ 
tition in Durban, South Africa. Other potential applica¬ 
tions of QKD include, for example, offsite backup, enter¬ 
prise private networks, critical infrastructure protection, 
backbone protection and high security access networks. 


Technological challenges. As mentioned in the in¬ 
troduction, researchers are working on designing and 
building high-speed QKD systems m and the ability 
of multiplexing strong classical signals with weak quan¬ 
tum signals in the same optical fibre [62h64] . Theorists 
are developing sophisticated techniques to increase the 
key generation rate (which is currently limited to about 
1 Mbps [65h69] ) and deal properly with various device 
imperfections of QKD implementations. To extend the 
distance of QKD, the ideas of both trusted and untrusted 
relay nodes have been studied. There has also been much 
interest in the concept of ground to satellite QKD. We 
will survey some of these recent efforts here. 

Multiplexing techniques: Very recently, a field-test of 
a QKD system that multiplexes two quantum channels 
in the third telecom window using WDM has been per¬ 
formed [Tj- The result is a very stable key generation 
rate from both channels over 30 days of operation with¬ 
out maintenance. This promising work confirms the pos¬ 
sibility of using WDM techniques in QKD in order to 
increase its secure bit rate. Importantly, alternative re¬ 
sults have also shown that quantum signals can be com¬ 
bined as well with strong conventional telecom traffics 
in the same fibre [621464] . thus showing the feasibility 
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of integrating QKD into existing fibre optical networks. 
In [63], for example, a QKD channel is located at 1310nm, 
while classical channels use the third telecom window. A 
slight drawback of this solution, however, is the higher 
transmission loss of the fibre at 1310nm, which limits 
the achievable QKD rate and distance. Alternatively, 
in |62j [64| both the quantum and classical channels use 
wavelengths around 1550nm. In so doing, [62] achieves, 
for instance, a secure key rate exceeding 1 Mbps over 
35km of fibre when the intensity of the classical sig¬ 
nals is around —18.6 dBm. Remarkably, the same re¬ 
search group has shown that QKD is also possible in a 
high data laser power environment of around 0 dBm [64] . 
In this case, the secret key rate is of the order of hun¬ 
dreds of Kbps over 25km of fibre. On the other hand, it 
turns out that CV-QKD systems can also be quite robust 
against noise from strong telecom traffics due to multi¬ 
plexing nnnH]. This is so because the local oscillator 
serves as a “mode selector” m to suppress the noise. 

Development of the theory: The key generation rate 
can also be increased by developing better security analy¬ 
sis. A practical security proof must take into account the 
statistical fluctuations due to the finite data size. There¬ 
fore, the development of more sophisticated techniques 
for such analysis can result in higher key rates [2l[73[74]. 
Also, one could include modifications in the protocol such 
as, for instance, the use of a biased basis choice. 

Extending the QKD eoverage: Up to this point, we 
have discussed different alternatives to integrate QKD 
into existing fibre optical networks and to improve the 
key rate of the system. Another important parameter is 
the covered distance, which is typically limited to about 
350km (if one uses entanglement-based schemes). Of 
course, this upper limit could be improved if one em¬ 
ploys ultra-low loss fibres [45]. In general, one simple 
solution to overcome this distance limitation is to use 
trusted nodes, just like in the QKD networks presented 
previously. Note, however, that to achieve secure com¬ 
munication over long distances (say over 10, 000km) one 
needs many trusted nodes. Another possible solution 
is to use satellites, which could be employed both as 
trusted or untrusted nodes. In the former case, one can 
see the satellite as a trusted courier that can perform 
QKD as well as travel very fast around a certain orbit. 
This way, one could perform in the future QKD over 
the globe. Indeed, a preliminary QKD experiment be¬ 
tween ground and a hot-air balloon has been performed 
recently [22]; see also [23]. This demonstration is illus¬ 
trated in Fig. Ic. It can be seen as a first step towards 
QKD between ground and Low Earth Orbit Satellites. 
Here, the development of accurate pointing techniques 
is one of the key technologies. Satellites could also be 
employed to build a QKD network with untrusted nodes 
by using, for example, measurement-device-independent 
(MDI) QKD [75] (which will be discussed later in the 
subsection on “Counter-measures”), where the parties on 


the ground send quantum signals to the satellites that 
perform a joint measurement on the incoming signals. 
Also, one could place the source of an entanglement- 
based QKD protocol on a satellite and the receivers in 
the ground. 

Quantum hacking and counter-measures 

QKD can be proved secure in theory. However, are exper¬ 
imental implementations of QKD also secure? Security 
proofs rely on assumptions. Some of them are quite nat¬ 
ural, such as, for instance, the validity of quantum me¬ 
chanics. Other assumptions, however, are more severe, 
such as, for example, that Alice and Bob have an accurate 
and complete description of their physical apparatuses. 
Unfortunately, real-life realisations of QKD often present 
imperfections and rarely conform to the theoretical mod¬ 
els used to prove their security. As a result, there is a 
gap between the theory and the practice of QKD. Even 
though in principle QKD has been proven to be secure, 
practical systems may contain security loopholes, or so- 
called side-channels, which might be exploited by Eve to 
learn the distributed key without being detected. 

Indeed, this has been the case in recent attacks against 
certain commercial and research QKD set-ups [76]-[9T], 
where Eve employed some imperfections in the devices, 
specially in the single-photon detectors, to hack the sys¬ 
tem. But one should not be overly alarmed by this fact 
at this stage, as current realisations of QKD are still in 
the battle-testing phase. Every time a new commercial 
cryptographic scheme is introduced, it is rather common 
for its first versions to contain some security flaws in the 
implementation. During the battle-testing period, these 
flaws are typically found and fixed. As a result, the sys¬ 
tems become more and more secure. Also, it should 
be remarked that QKD is often combined with classi¬ 
cal cryptography; for instance, by performing a bitwise 
XOR operation between a classical key and a key ob¬ 
tained with QKD. In this sense, QKD can only improve 
the final security of the whole system, but not reduce it. 

Quantum hacking. What kind of imperfections can 
Eve exploit to hack a QKD system? In principle, QKD 
only secures the communication channel, so Eve may try 
to attack both the sources (z.e., the preparation stage of 
the quantum signals) and the measurement device. A list 
of various existing attacks on QKD set-ups can be found 
in Table ig The source is typically less likely to be a prob¬ 
lem. This is so because Alice can prepare her quantum 
signals (e.^., the polarisation state of phase-randomised 
WCPs) in a fully protected environment outside the in¬ 
fluence of the eavesdropper. This can be achieved, for 
instance, using optical isolators. Also, Alice can exper¬ 
imentally verify the quantum states emitted. Eor this, 
she can employ, for example, random sampling tech¬ 
niques. Therefore, it is reasonable to expect that Alice 
can characterise her source. Eortunately, in this situa- 


a 



b 





FIG. 4. I Examples of quantum hacking, a, Experimentally measured detection efficiency mismatch between two detectors 
from a commercial QKD system versus time shifts m This could be exploited by Eve to perform a time-shift attack m, 
i.e., she could shift the arrival time of each signal such that one detector has a much higher detection efficiency than the other, 
b, Working principle of the detector blinding attack [81]. By shining bright light into the detectors, Eve can make them leave 
the Geiger mode operation (used in QKD) and enter into the linear mode operation. In so doing, she can control which detector 
produces a “click” each given time and learn the entire secret key without being detected, c, Eull-held implementation of a 
detector blinding attack on a running entanglement-based QKD set-up [84]. Eigures from: a. Ref. [77]; b. Ref. [81], and c. 
Ref. [84]. 


Attack 

Target component 

Tested system 

Time-shift [TGUT^ 

Detector 

Commercial system 

Time-information |80| 

Detector 

Research system 

Detector-control |811183| 

Detector 

Commercial system 

Detector-control |84| 

Detector 

Research system 

Detector dead-time |85| 

Detector 

Research system 

Channel calibration |86| 

Detector 

Commercial system 

Phase-remapping |87| 

Phase modulator 

Commercial system 

Faraday-mirror |88| 

Faraday mirror 

Theory 

Wavelength |89| 

Beam-splitter 

Theory 

Phase information |90| 

Source 

Research system 

Device calibration |91| 

Local oscillator 

Research system 


TABLE I. Summary of various quantum hacking attacks 
against certain commercial and research QKD set-ups. 


tion, it is usually relatively easy to incorporate imperfec¬ 
tions of Alice’s state preparation process in the security 
proof [26l [92] . 


The problem with the measurement device of Bob is 
more subtle, as Eve is allowed to send in any signal she 
desires and, therefore, it is harder to protect Bob’s set¬ 
up against any possible attack. Indeed, most quantum 
hacking strategies are directed at Bob’s single-photon de¬ 
tectors [76H86] . which can be regarded as the Achilles’ 
heel of QKD. For instance. Eve could exploit their de¬ 
tection efficiency mismatch [76lf79] . This is illustrated 
in Fig. 4a. However, the most important hacking at¬ 
tack so far against the detectors of the system is the 
so-called detector blinding attack m- Here, Eve shines 
bright light into the detectors to make them enter into 
the so-called linear mode operation, where they are not 
longer sensitive to single-photon pulses but only to strong 
light pulses [81]. As a consequence. Eve can effectively 
fully control which detector produces a “click” each given 
time, just by sending Bob additional bright pulses. This 
way. Eve can learn the secret key completely. This is 
shown in Figs. 4b and 4c [84]. Other possible imperfec¬ 
tions that could be exploited include, for instance, the 
dead-time of the detectors [85] . 
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Counter-measures. A natural solution to recover secu¬ 
rity in QKD implementations would be to develop math¬ 
ematical models that perfectly match the behaviour of 
all QKD components and systems, and then incorpo¬ 
rate this information into a new security proof. Unfor¬ 
tunately, while this is plausible in theory, it is hard to 
realise in practice (if not impossible), as QKD compo¬ 
nents are complex devices. Currently, there are three 
main alternative approaches. 

The first one is to use security patches. Fortunately, 
every time a security loophole is found, usually it is al¬ 
ways quite easy to obtain a suitable counter-measure [93]- 
[96] . In so doing, one can guarantee security against 
known attacks. But note that the system might be de¬ 
feated by hacking advances. This scenario is similar 
to most classical cryptographic techniques, as here one 
abandons the provable security model of QKD. 

The second approach is called device-independent (DI) 
QKD [97HTnn]. See Fig. 5a. Here, Alice and Bob treat 
their devices as two “black boxes”. That is, they do not 
need to fully characterise their different elements. The 
security of DI-QKD relies on the violation of a Bell in¬ 
equality, which certifies the presence of quantum correla¬ 
tions. Unfortunately, due to the detection efficiency loop¬ 
hole (which requires a detection efficiency around 80% or 
higher), a loophole-free Bell test is still unavailable. In¬ 
deed, the high decoupling and channel loss, together with 
the limited detection efficiency of current single-photon 
detectors, renders DI-QKD highly impractical with cur¬ 
rent technology. Even if Alice and Bob try to compen¬ 
sate the channel loss by including a fair-sampling device, 
such as a qubit amplifier |1Q11 llQ2j or a quantum non¬ 
demolition measurement of the number of photons in a 
pulse, the resulting secret key rate of DI-QKD at practi¬ 
cal distances is unfortunately very limited (e.^., of order 
10“^^ bits per pulse) |1Q1[ 1102] . Of course, technology is 
improving and DI-QKD might still prove viable in say 10 
or 15 years. In summary, the first approach to counter 
the quantum hacking problem is ad hoc whereas DI-QKD 
is impractical nowadays. 

The third approach is MDI-QKD [75], which currently 
appears to be a possibly viable solution to the quan¬ 
tum hacking problem. See Figs. 5b and 5c. The main 
advantage of this approach is that it allows Alice and 
Bob to perform QKD with untrusted measurement de¬ 
vices, which can be even manufactured by Eve. In other 
words, MDI-QKD removes completely the weakest part 
of a QKD realisation, and offers an avenue to bridge the 
gap between theory and practice. The security of MDI- 
QKD is based on the idea of time reversal pTTi nnsj. 
Alice and Bob prepare quantum signals and send them 
to an untrusted relay, Charles/Eve, who is supposed to 
perform a Bell-state measurement on the signals received. 
The honesty of Charles can be verified by comparing a 
subset of the transmitted data. Most importantly, MDI- 


QKD can be implemented with standard optical com¬ 
ponents with low detection efficiency and highly lossy 
channels. The key rate of MDI-QKD is many orders of 
magnitude higher than that of DI-QKD and the experi¬ 
mental feasibility of MDI-QKD has been already demon¬ 
strated both in laboratories and via field-tests [10314106] . 
The key assumption in MDI-QKD is that Alice and Bob 
trust their sources. As noted earlier, this may not be an 
unreasonable assumption because, when compared with 
single-photon detectors that receive unknown quantum 
states prepared by Eve, Alice and Bob have a much 
better chance to monitor their own preparation process 
carefully within their own laboratories. In fact, as men¬ 
tioned before, source flaws can be taken care off in se¬ 
curity proofs [26| [92]. A slight drawback of MDI-QKD 
is, however, its relatively low secret key rate when com¬ 
pared to the decoy-state BB84 protocol. This is so be¬ 
cause MDI-QKD requires two-fold coincidence detector 
events which are suppressed due to the low detection ef¬ 
ficiency of standard InGaAs single-photon detectors. If 
one uses SNSPDs with 93% detection efficiency as the 
ones described previously, then such a disadvantage will 
disappear. Also, note that MDI-QKD could be used to 
build a QKD network with untrusted nodes, which would 
be desirable from a security standpoint. 

Outlook 

To further extend the distance of secure quantum com¬ 
munication, there have been a lot of research activities 
in “quantum repeaters” m, which allow entanglement 
to be swapped and distilled between different entangled 
pairs of photons. 

If MDI-QKD is widely deployed in the future, then the 
frontier of quantum hacking will shift towards attacking 
the source (rather than the detectors). It will become 
important to re-examine the various security assumptions 
used there (e.^., single-mode assumption, perfect global 
phase randomisation and no side-channels). The eternal 
welfare between the code-breakers and code-makers will 
continue. 

Owing to space limit, this article has focused on QKD. 
It should be noted that other applications of quan¬ 
tum cryptography such as quantum secret sharing, blind 
quantum computing and quantum coin flipping have also 
been proposed, whereas other protocols such as quantum 
bit commitment has been shown to be impossible without 
additional assumptions. 

To conclude, we highlight the deep connections of 
quantum cryptography with other areas of physics as well 
as mathematics and technology. Eor instance, the loop¬ 
holes in the security of practical QKD systems are closely 
related to the loopholes in the testing of Bell’s inequali¬ 
ties in the foundations of quantum mechanics. Quantum 
cryptography is also closely related to mathematics, in¬ 
formation theory and statistics as it widely uses concepts 
in those subjects. Eurthermore, quantum cryptography 
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FIG. 5. I Examples of counter-measures against quantum hacking, a, Schematic diagram of device-independent (DI) 
QKD [OThlOO] . Alice and Bob can prove the security of the protocol based on the violation of an appropriate Bell inequality. 
To overcome the channel loss, the system can include a so-called fair sampling device [1011110^ . In principle, DI-QKD can 
remove all side-channels in a QKD implementation, b. Schematic representation of measurement-device-independent (MDI) 
QKD [75]. Alice and Bob prepare WCPs in different BB84 polarisation states and send them to an untrusted relay Charles, 
who is supposed to perform a Bell state measurement (BSM) that projects the incoming signals into a Bell state. MDI-QKD 
removes all detector side-channels, which can be regarded as the Achilles’ heel of QKD. In comparison to DI-QKD, MDI-QKD 
has the advantage of being feasible with current technology. Indeed, proofs-of-principle demonstrations have been already done 
in [10311104] . and real QKD implementations have been realised in [10511106] . c. Field-test proof-of-principle demonstration of 
MDI-QKD realised in Calgary, Canada [103] . Figures from: c. Ref. [103] . 


provides much impetus to techuological developmeuts iu 
siugle-photou detectors, which cau also be used to im¬ 
prove quautum metrology aud seusiug aud coutribute to 
the ultimate goal of the coustructiou of large-scale quau¬ 
tum computers. 
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